In September 2015, Talos published a blog post examining how often seemingly benign software can rightly be condemned as malware. In that spirit, this post presents an interesting piece of “software” that we felt deserved additional disclosure. It exhibits several questionable behaviors, including:

  • Attempts to detect sandboxes via a number of techniques
  • Attempts to detect antivirus (AV) products
  • Attempts to detect security tools and forensic software
  • Attempts to detect remote desktop sessions
  • Silently installs software on the end host without user interaction or any EULA
  • Reports to its C2 server over an encrypted channel which software was installed and what “effective_price” was associated with it


Talos Group
Talos Security Intelligence & Research Group